Introduction:

JumpServer provides users with both web-based RDP(Web GUI) access and native MSTSC(Remote Desktop) access to connect to target Windows assets simultaneously. 

These two connection methods are respectively provided by the Lion component and the Razor(X-Pack) component.

If you encounter any issues, please refer to the following documentation for troubleshooting based on the connection method and error messages.

Server trace files are stored in the /data/jumpserver/lion/data/logs/ or /data/jumpserver/razor/data/logs/ for reference during troubleshooting. 

Common Issues of Lion(Web GUI)

1. Network Error

Issue:

The reason for this problem may be due to network connectivity issues, firewall restrictions, security software, or other factors that prevent the JumpServer from connecting to the Windows asset's port 3389, rendering the JumpServer unable to ping the Windows asset.

Troubleshooting tips: 

1. Check the system platform and corresponding port of the Windows asset on the JumpServer system.

2. Ensure that port 3389 is open and accessible from the JumpServer to the Windows asset. You can find integrated Telnet and Ping tools in the "System Settings" section of the JumpServer under the "Tools". category.

3. Verify if the firewall on the Windows asset restricts access from the JumpServer.

4. Review the security group policies on the Windows asset.

2. Credentials Expired

Issue:

The reason for this problem may be due to errors in the asset's system platform, incorrect login user password, or expired user authorization.

Troubleshooting tips: 

1. Change the asset's system platform to "Windows-TLS" or try another Windows platform.

2. Use MSTSC on a personal PC to log in to the Windows asset, update the corresponding account password, and update the account password in the account list of the corresponding asset.

3. Check the user's authorization rules for logging into the asset to confirm if the authorization rules have expired.

3. Auth Error

Issue:

The reason for this problem may be due to incorrect username/password input or errors in the system platform of the asset.

Troubleshooting tips: 

1. Verify that the username and password for the account are correct. When logging into a Windows asset with a domain account, the account format can be username@domain or domain\username. If domain information is configured in the system platform, you may only need to input the username.

2. Change the asset's system platform to "Windows-TLS" or try another Windows platform.

3. When encountering the mentioned error while logging in with a blank account on Windows 2019, navigate to "System Properties → Remote → Disable 'Allow connections only from computers running Remote Desktop with Network Level Authentication'".

4. Aborted. See Logs

Issue:

The exact reason for this problem is unclear and requires examination of the lion.log on the JumpServer backend server and the event manager of the asset to analyze the cause of this issue.

When Alibaba Cloud's Windows asset enables SMS verification, this error may also occur when accessing it through JumpServer. In this scenario, there is currently no known solution for this problem.

Troubleshooting tips: 

1. If the problem is due to Remote Desktop Services expiration, you will need to purchase the corresponding Remote Desktop Services license.

2. If the issue is related to security protocol layers, you can modify the security protocol on Windows by following these steps: Group Policy Editor (Win+R, enter gpedit.msc) → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Security. Modify the corresponding remote connection protocol from the default "Not Configured" state to "Enabled" to align the security layer with the system platform.

5. Upstream Error

Issue:

The reason for this problem may be due to a reverse proxy on the frontend without session persistence configured. In this scenario, you can check the logs of the Lion component.

Troubleshooting tips: 

1. Add session persistence to the reverse proxy configuration.

2. Check the remote session configuration of the Windows asset to see if authentication is enabled. If it is enabled, disable authentication.

6. Session Conflicts

Issue:

The cause of this problem may be due to the asset connection being forcibly terminated, indicating that someone else is using the same account to log into the Windows asset.

Troubleshooting tips: 

1. Ensure that each user logs into Windows using different system accounts.

2.Increase the number of connections for the asset. To do this, follow these steps: Group Policy Editor (Win+R, enter gpedit.msc) → Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Limit number of connections .

3. Disable the restriction of Remote Desktop Services users to a single Remote Desktop Services session. To disable this, follow these steps: Group Policy Editor→ Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Restrict Remote Desktop Services users to a single Remote Desktop Services session → Disable.

7. Session Conflicts

Issue:

The reason for this problem may be due to the account being locked or the password expiring.

Troubleshooting tips: 

Try logging in using MSTSC on a personal PC, unlock the account, or update the account's password.

8. Access Denied

Issue:

The reason for this problem may be due to the deployment of JumpServer in a multi-node architecture where LB proxying is causing the issue due to the round-robin load balancing rules.

Troubleshooting tips: 

1. Check the load balancing rules on the frontend. For Nginx, ensure that the load balancing rule is set to ip_hash.

2. Check the load balancing rules on the frontend. For Alibaba Cloud load balancers, enable session persistence.

3. Check the load balancing rules on the frontend. For AWS load balancers, enable sticky sessions with a minimum validity period of at least 1 day.

9. 502 Bad Gateway

Issue:

The problem may arise due to component abnormalities or incorrect routing configurations for Lion in the Nginx configuration of jms_web.

Troubleshooting tips: 

1. Check the status of the Lion component. If it is abnormal, you can restart the Lion container by executing the command docker restart jms_lion.

2. Verify the routing configuration for the Lion component in the Nginx configuration of the jms_web component to ensure its correctness.

10. Core API Error

When attempting to connect to a Windows asset using the WEB GUI, an error popup displays "Core API Error"

Issue:

The issue may be caused by an exception in the API interface of the JumpServer service backend.

Troubleshooting tips: 

1. Check the jumpserver.log for any relevant error messages and handle them accordingly.

2. Use docker ps to check the status of the components. If the Lion component is abnormal, restart the Lion component using the command: docker restart jms_lion.

3. If there have been updates to the network settings of the JumpServer backend server, consider restarting the Docker service and then restarting the JumpServer service after the network changes.

11. Unexpected black screen or loading spinner

Issue:

This issue may be caused by the security layer protocol of Windows Remote Desktop Connection, preventing JumpServer from establishing a proper connection to the asset through the configured settings.

Troubleshooting tips: 

1. Ensure that port 3389 is open and accessible from the JumpServer to the Windows asset. You can find integrated Telnet and Ping tools in the "System Settings" section of the JumpServer under the "Tools". category.

2. Verify if the firewall on the Windows asset restricts access from the JumpServer.

3. Modify the Windows asset platform to either "Windows-tls" or "windows-rdp" according to the Windows Remote Desktop security layer configuration.

4. If NLA is enabled on an RDP server using the TLS security layer, the server ignores the Always prompt for password option. Users are not prompted for passwords. If you‘re not familiar with that please try to switch off/on the NLA option.

Common Issues of Razor(Remote Desktop)

1. Native MSTSC Unexpectly Crash or Flashback

Issue:

When attempting to connect to a Windows asset using an RDP client, there are no error pop-ups, and the MSTSC application crashes immediately upon launch.

Potential Causes:

1. Network connectivity issues between the Windows asset and JumpServer.

2. Port communication issues between the Windows asset and the  JumpServer.

3. Incorrect account/password used to log into the Windows asset.

4. Incorrect gateway information.

5. Security layer policies not enabled or incorrect security protocol mismatch with the system platform.

Troubleshooting tips: 

1. Directly connect to the asset using MSTSC from a personal PC to verify the correctness of the account and password.

2. Connect to the asset using the Web GUI to check network and port settings.

3. Check the Razor logs to ensure the correctness of the token and gateway information. You can view Razor logs using the command: docker logs -f jms_razor --tail 100.

4. On the Windows asset, open the Event Viewer to inspect the reasons for login failures.

5. If NLA is enabled on an RDP server using the TLS security layer, the server ignores the Always prompt for password option. Users are not prompted for passwords. If you‘re not familiar with that please try to switch off/on the NLA option.

2. Copy-paste Not Working

Issue:

When connecting to a Windows asset using RDP, the copy-paste functionality does not work, and there is no response when attempting to paste text.

Potential Causes:

The issue may be due to a failure in the RDP clipboard process, resulting in zombie processes.

Troubleshooting tips: 

1. In Task Manager, end the RDP clipboard monitoring process and then try copying and pasting again.

2. If restarting the clipboard process does not resolve the issue and it does not impact normal operations, consider restarting the Windows server.

3. Server Authentication Certificate Failures

Issue:

The reason for this problem may be that the SSL certificate configured in the load balancer does not match the certificate on the JumpServer node when accessing the JumpServer page via HTTPS.

Troubleshooting tips: 

1. Update the SSL certificate on either the load balancer node or the JumpServer node to ensure that the certificates match between the load balancer node and the JumpServer node.